12-19-2011 04:33 PM - edited 07-03-2021 09:16 PM
I have 2 cisco 1141 aironets access points.
I've followed this tutorial:
http://evilrouters.net/2008/11/19/configuring-freeradius-to-support-cisco-aaa-clients/
I have an ubuntu server running freeradius authenticating against an LDAP server.
Now I'm able to log into the AP via ssh with my LDAP credentials.
What I can't figure out is how do I setup the AP so when people connect to the AP's wireless they are prompted to use their LDAP credentials.
I've gone through a bunch of different articles online and I feel that I'm just confusing myself even more.
12-21-2011 08:31 AM
Can you post the config of the AP? I'd like to see where you are currently at.
12-21-2011 09:37 AM
Thank you for the help.
Here is the config
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap2
!
enable secret 5
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip domain name something.net
!
!
dot11 syslog
dot11 vlan-name inside vlan 2
dot11 vlan-name test2 vlan 22
!
dot11 ssid WiFi
vlan 22
authentication open
authentication key-management wpa optional
mbssid guest-mode
wpa-psk ascii 7
!
dot11 ssid inside
vlan 2
authentication open
authentication shared
mbssid guest-mode
!
!
crypto pki trustpoint TP-self-signed-1224361256
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1224361256
revocation-check none
rsakeypair TP-self-signed-1224361256
!
!
crypto pki certificate chain TP-self-signed-1224361256
certificate self-signed 01
quit
!
!
ip ssh logging events
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
shutdown
!
encryption vlan 22 key 2 size 128bit 7
encryption vlan 22 mode ciphers aes-ccm tkip wep128
!
broadcast-key vlan 22 change 60
!
!
ssid WiFi
!
ssid inside
!
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
infrastructure-client
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex full
speed auto
no keepalive
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface BVI1
ip address 10.12.20.124 255.255.255.0
no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 111 permit tcp any any neq telnet
snmp-server community
snmp-server location Solana Beach, California, USA
snmp-server contact
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3
radius-server host 10.12.10.3 auth-port 1812 acct-port 1813 key 7
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
sntp server 10.12.10.3
end
12-21-2011 12:43 PM
Ok, so pasting this into your AP should work
conf t
aaa group server radius rad_eap
server 10.12.10.3 auth-port 1812 acct-port 1813
exit
!
interface Dot11Radio0
encryption vlan 2 mode ciphers aes-ccm
exit
!
dot11 ssid inside
vlan 2
no authentication shared
authentication open eap rad_eap
authentication key-management wpa version 2
exit
So I'll explain:
aaa group server radius rad_eap
server 10.12.10.3 auth-port 1812 acct-port 1813
This configures the AP to use a server group, and in the config this server group is referred to as 'rad_eap'. If you need to add more servers for user authentication, you just need to go under the group and add more servers.
interface Dot11Radio0
encryption vlan 2 mode ciphers aes-ccm
This tells the radio that for vlan two we are going to use the cipher suite of aes. If your clients do not support WPA 2, change this to encryption vlan 2 mode ciphers tkip.
dot11 ssid inside
vlan 2
no authentication shared
authentication open eap rad_eap
authentication key-management wpa version 2
Now this is where we tell the SSID how we are going to work with the client. You shouldn't need authentication shared for EAP. You really shouldn't need it for a PSK either; most clients will work with just authentication open.
The authentication open line tells the AP that we are using open authentication, that we are expecting EAP requests from the client, and what server group it should send the AAA requests to.
Finally, we are telling the SSID that we only want clients that can do WPA 2. If your clients do not support WPA 2, then change this line to be authentication key-management wpa.
This should get you working with using EAP for your clients.
HTH,
Steve
----------------------------------------------------------------------------------------------------------
Please remember to rate helpful posts or to mark the question as answered so that it can be found later.
12-21-2011 03:08 PM
I made those changes and I had freeradius in debug mode. When I started authentication on ssid Mike I would get a login box for username/password, but when authentication starts freeradius isn't getting any request, whereas when I ssh into the AP I get a request.
Sorry, I forgot to mention I'm using the ssid Mike.
Thanks again for your help.
Here is my config after the changes:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cldap2
!
enable secret 5
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.12.10.3 auth-port 1812 acct-port 1813
!
aaa authentication login default group radius local
aaa authorization exec default group radius if-authenticated
aaa accounting exec default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
ip domain name onerecovery.net
!
!
dot11 syslog
dot11 vlan-name inside vlan 2
dot11 vlan-name test2 vlan 22
!
dot11 ssid Mike
vlan 22
authentication open eap rad_eap
authentication key-management wpa version 2
mbssid guest-mode
!
!
crypto pki trustpoint TP-self-signed-1224361256
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1224361256
revocation-check none
rsakeypair TP-self-signed-1224361256
!
!
crypto pki certificate chain TP-self-signed-1224361256
certificate self-signed 01
quit
username Cisco privilege 15 password
!
!
ip ssh logging events
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 22 mode ciphers aes-ccm
!
broadcast-key vlan 22 change 60
!
!
ssid Mike
!
antenna gain 0
mbssid
speed basic-1.0 basic-2.0 basic-5.5 basic-11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root access-point
infrastructure-client
!
interface Dot11Radio0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
bridge-group 2 subscriber-loop-control
bridge-group 2 block-unknown-source
no bridge-group 2 source-learning
no bridge-group 2 unicast-flooding
bridge-group 2 spanning-disabled
!
interface GigabitEthernet0
no ip address
no ip route-cache
duplex full
speed auto
no keepalive
!
interface GigabitEthernet0.2
encapsulation dot1Q 2 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.22
encapsulation dot1Q 22
no ip route-cache
bridge-group 2
no bridge-group 2 source-learning
bridge-group 2 spanning-disabled
!
interface BVI1
ip address 10.12.20.124 255.255.255.0
no ip route-cache
!
ip default-gateway 10.12.0.2
no ip http server
ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
access-list 111 permit tcp any any neq telnet
snmp-server community ORVjkPtki8q RO
snmp-server location Solana Beach, California, USA
snmp-server contact OneRecovery NOC -
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.12.10.3
radius-server host 10.12.10.3 auth-port 1812 acct-port 1813 key 7
bridge 1 route ip
!
!
!
line con 0
access-class 111 in
line vty 0 4
access-class 111 in
!
sntp server 10.12.10.3
end
12-21-2011 03:29 PM
Gah! Silly cut and paste. It missed one of the commands:
radius-server attribute 32 include-in-access-req format %i
This tells the AP to send its IP address to be processed by the AAA.
12-21-2011 04:00 PM
I added:
radius-server attribute 32 include-in-access-req format %i
I'm still getting the same results. The freeradius server isn't getting any request from the AP when a user joins the ssid Mike.
12-22-2011 07:54 AM
Double checked that document you posted. That only goes over the config for using freeRADIUS as an authenticator for device management login.
Take a look at the link below that covers configuring freeRADIUS for PEAP.
http://tldp.org/HOWTO/8021X-HOWTO/freeradius.html
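As an added check (not code from this thread, from Cisco or from the FreeRADIUS project), this Python script parses a flattened IOS AP config like the ones posted above and lists what would stop an SSID from doing WPA2 with EAP against RADIUS: the EAP list, the server group, the key-management and the per-vlan cipher. It goes one step beyond the thread's snippets in that it treats the name after `authentication open eap` as an `aaa authentication login <list> group <group>` method list, which is what that argument is on the Aironet CLI; `AP_BEFORE` is a constructed excerpt of the first posted config, and any `REDACTED` value is a placeholder.

```python
import re

# Starts of the other global sections; a lone '!' does not terminate a block in flattened IOS output
TOP = ("interface ", "line ", "crypto ", "ip ", "bridge ", "snmp-server", "access-list", "username", "aaa ", "dot11 ", "hostname", "sntp", "end")

def parse_ap_config(text):
    cfg = {"ssid": {}, "group": {}, "lists": {}, "ciphers": {}, "hosts": set()}
    cur = None  # (kind, name) of the block we are inside; None at global level
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"dot11 ssid (\S+)", line):
            cur = ("ssid", m[1]); cfg["ssid"][m[1]] = {"vlan": None, "eap": None, "wpa": None, "shared": False}
        elif m := re.match(r"aaa group server radius (\S+)", line):
            cur = ("group", m[1]); cfg["group"][m[1]] = []
        elif m := re.match(r"aaa authentication login (\S+) group (\S+)", line):
            cur = None; cfg["lists"][m[1]] = m[2]  # method list -> server group it uses
        elif m := re.match(r"radius-server host (\S+)", line):
            cur = None; cfg["hosts"].add(m[1])
        elif m := re.match(r"interface (Dot11Radio\d+)$", line): cur = ("radio", m[1])
        elif line.startswith(TOP): cur = None  # sub-interfaces and other sections end the block
        elif cur and cur[0] == "ssid":
            s = cfg["ssid"][cur[1]]
            if m := re.match(r"vlan (\d+)", line): s["vlan"] = m[1]
            elif m := re.match(r"authentication open eap (\S+)", line): s["eap"] = m[1]
            elif m := re.match(r"authentication key-management wpa( version 2)?", line): s["wpa"] = 2 if m[1] else 1
            elif line == "authentication shared": s["shared"] = True
        elif cur and cur[0] == "group":
            if m := re.match(r"server (\S+)", line): cfg["group"][cur[1]].append(m[1])
        elif cur and cur[0] == "radio":
            if m := re.match(r"encryption vlan (\d+) mode ciphers (.+)", line): cfg["ciphers"][m[1]] = m[2].split()
    return cfg

def check_eap_ssid(cfg, name):
    """Return the problems that would stop SSID `name` doing WPA2 with EAP against the RADIUS server."""
    s = cfg["ssid"][name]; lst = cfg["lists"].get(s["eap"]); grp = cfg["group"].get(lst); out = []
    if s["eap"] is None: out.append("no 'authentication open eap <list>': clients never start EAP")
    elif lst is None: out.append(f"'{s['eap']}' is not an 'aaa authentication login <list> group <group>' method list")
    elif grp is None: out.append(f"method list {s['eap']} points at undefined server group {lst}")
    elif not any(h in cfg["hosts"] for h in grp): out.append(f"no 'radius-server host ... key' for group {lst}")
    if s["shared"]: out.append("'authentication shared' is set; remove it for EAP")
    if s["wpa"] != 2: out.append("key management is not 'wpa version 2'")
    if "aes-ccm" not in cfg["ciphers"].get(s["vlan"], []): out.append(f"vlan {s['vlan']} has no 'mode ciphers aes-ccm'")
    return out

# Constructed excerpt of the poster's first config: SSID 'inside' is open + shared key with AES only on vlan 22
AP_BEFORE = """dot11 ssid inside
vlan 2
authentication open
authentication shared
interface Dot11Radio0
encryption vlan 22 mode ciphers aes-ccm tkip wep128"""
```

Running `check_eap_ssid(parse_ap_config(AP_BEFORE), "inside")` reports four findings; on the second posted config it reports only that `rad_eap` is a server group rather than a method list, which is a useful thing to rule out before moving on to the FreeRADIUS side.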